It is just a fact of life that attackers and defenders are now operating in a dual-protocol world. With the addition of IPv6, attackers are learning new tricks and defenders will need to anticipate and protect against those new attacks. Attackers will try to use IPv4 and IPv6, each alone or in combination, for their exploits. We can predict that attacks will use a combination of IPv4 and IPv6 in a way that could allow an attacker to avoid detection by today's protection mechanisms.

Attackers commonly use a specific methodology when using malware propagation and command-and-control networks for exploitation. However, attackers use a different standard methodology when performing a targeted attack. They start with reconnaissance, then move through exploring and scanning, exploitation, maintaining access, covering their tracks, and leveraging that access to expand to other systems. When an attacker is performing reconnaissance, they may only focus on the IPv4 addresses of the target. However, a sophisticated attacker would recognize when a target is reachable over IPv6 transport. If a victim only uses IPv4, then they are reachable only over that one protocol, but if a victim is reachable over both, then the "attack surface" has effectively doubled. An attacker will perform reachability testing and scanning over IPv4 and IPv6, thus doubling their workload. Both attackers and defenders must now do everything twice: once for IPv4 and once for IPv6. Every activity that the attacker performs will use IPv4 and IPv6 to determine if one protocol is less fortified than the other. Then the attacker will leverage the weaker of the two connection protocols.

Attackers have the ability to perform some portions of an application-layer attack on a dual-protocol server using IPv4 and other portions of the attack using IPv6. This could confuse IPSs because they would not be able to determine that these two partial attacks are related. The situation is much worse if your IPS is not even looking at the IPv6 packets. It is more likely that the IPS will simply inspect each connection independently, looking for packets that match signatures or trigger anomaly-detection thresholds.

This type of dual-protocol attack could also avoid correlation by SIEMs. A SIEM would not recognize that the IPv4 address of the attacker is associated with the IPv6 address of the attacker. The correlation engine is not able to determine that the attacker's source IPv4 address and IPv6 address belong to the same computer. If an attacker compromises a system over IPv4 and then spreads to other systems over IPv6, the SIEM would not determine that these two activities are part of the same attack. The SIEM may not even be able to determine that the IPv4 address of the compromised server is configured on the same server as the IPv6 address that was used for the secondary attacks on other systems.

So, how would a SIEM determine that a dual-protocol attack is originating from the same source? One approach would be to use some form of metadata or other time-domain commonality to determine that the same attacker is using both protocols in combination to formulate an attack. The SIEM could try different techniques to trace back to the source. For example, the SIEM could perform a whois or DNS query on the IPv4 and IPv6 addresses and see whether they belong to the same organization or FQDN. The SIEM could do a traceroute to the sources using IPv4 and IPv6 and see whether the paths are congruent. The SIEM may be able to use some type of heuristics to correlate the IPv4 and IPv6 activities. Splunk's Minister of Defense, Monzy Merza, has written and presented on the topic of using metacharacteristics to detect threats. However, it will take time before defenders have IPv4 and IPv6 correlation capabilities built into their protection systems by default.
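To make the correlation idea concrete, here is an added example (not from the article, Splunk, or any SIEM product) that joins IPv4 and IPv6 events on a shared reverse-DNS name and a time window, so the IPv4 scan-and-exploit and the IPv6 lateral movement described above surface as one chain. The event lines, addresses and RDNS answers are all constructed for the example; in a real deployment the RDNS table would be replaced by live whois/DNS lookups.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample feed: one attacker scans and exploits over IPv4, then moves laterally over IPv6.
EVENTS = [
    "2024-05-01T10:00:02Z src=203.0.113.7 dst=192.0.2.10 msg=recon-scan",
    "2024-05-01T10:00:09Z src=2001:db8:1::7 dst=2001:db8:2::10 msg=recon-scan",
    "2024-05-01T10:01:30Z src=203.0.113.7 dst=192.0.2.10 msg=exploit-attempt",
    "2024-05-01T10:02:11Z src=2001:db8:1::7 dst=2001:db8:2::10 msg=lateral-smb",
    "2024-05-01T13:45:00Z src=198.51.100.9 dst=192.0.2.10 msg=recon-scan",
]

# Constructed reverse-DNS answers standing in for the live whois/DNS lookup, so this runs offline.
RDNS = {
    "203.0.113.7": "host7.attacker.example",
    "2001:db8:1::7": "host7.attacker.example",
    "198.51.100.9": "vpn.other.example",
}

@dataclass
class Event:
    ts: datetime
    src: object          # ipaddress.IPv4Address or IPv6Address
    dst: str
    msg: str

def parse_event(line: str) -> Event:
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 ip_address(kv["src"]), kv["dst"], kv["msg"])

def find_dual_protocol_chains(lines, rdns=RDNS, window=timedelta(minutes=10)):
    """Map entity (FQDN, or bare address when no metadata) -> sessions mixing IPv4 and IPv6 sources."""
    by_entity: dict[str, list[Event]] = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e.ts):
        by_entity.setdefault(rdns.get(str(ev.src), str(ev.src)), []).append(ev)
    chains: dict[str, list[list[str]]] = {}
    for key, evs in by_entity.items():
        sessions = [[evs[0]]]             # split on gaps longer than `window`
        for prev, ev in zip(evs, evs[1:]):
            if ev.ts - prev.ts > window:
                sessions.append([])
            sessions[-1].append(ev)
        for s in sessions:
            if {e.src.version for e in s} == {4, 6}:
                chains.setdefault(key, []).append([e.msg for e in s])
    return chains
```

Calling `find_dual_protocol_chains(EVENTS, rdns={})` returns nothing: without the metadata join, each address is its own entity and the two halves of the attack stay unlinked, which is exactly the blind spot the article describes.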

Reputation systems have the same challenge in associating IPv4 addresses with IPv6 addresses. With the introduction of CGN/LSN systems, IPv4 reputation filtering may not be long for this world. Many of the reputation filtering systems used for detecting e-mail spam or web sites hosting malware do not have IPv6 capabilities. The reputation databases will need to be able to correlate the IPv4 address and IPv6 address of a system hosting malware or a system generating malicious traffic. However, they are not there yet.

Attackers are learning about IPv6 security at the same pace as IT professionals and at the same pace as IPv6 is deployed on the Internet. There will be those attackers or defenders who are further ahead of their counterparts and will have an advantage over their competition. Even though IPv4 and IPv6 are similar in many ways, IPv6 has several nuances that the security industry needs to take into consideration. The best practice would be to anticipate these challenges and create protection measures ahead of deployment. However, IPv6 is now implemented on the Internet and on many organizations' Internet edges. This situation creates opportunities for attackers and forces defenders to develop strategies to protect their organizations.

Scott

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.